The Importance of Building Alert Rationale

Politically Exposed Persons (PEPs), Sanctions and Adverse Media alerts all require a rationale to explain whether an alert is a false positive, a true match, or whether further information is required. Investigators will normally have to compare two sets of information and look for differences in order to make a decision; this can only be done by using reliable information and a common-sense, risk-based approach.

Alert investigations are performed over different levels; the number of levels is normally dictated by the number of alerts generated. As a rule, organisations with a large international footprint will generate more alerts simply because of their exposure to international markets, additional country list inclusion and threshold settings.

Larger organisations will normally have 3 levels of investigation for quality assurance (QA). Once a decision has been made by an analyst, the higher levels of investigation will require a senior investigator who understands the level of risk to the organisation. The three levels of investigation ensure the correct alert is investigated by the correct analyst by escalating the alert up through the levels of investigation.

Level 1 investigation looks at the obvious false positives; the analyst should only need a few seconds to decide on the potential match using the guidance given to them in their process document. Any alert at level 1 which requires evidence to be attached or further information to be provided by either party should be escalated to level 2 for review.

Level 2 investigation looks at any alert escalated from level 1 for further review. The level 2 analyst will require more time to do a deep dive and look at all the information in hand. The investigator can discount the alert, attaching the information used in the investigation, or escalate the alert to level 3 if they find a match. If the match relates to a transaction, further information on the parties involved may be requested in order to discount the match.

Level 3 investigators deal with any full matches or alerts which cannot be eliminated at level 1 or 2. Senior investigators may also have the responsibility of creating safeguards and changes to the investigation process depending on the outcome of their investigation. Depending on the type of investigation, full matches should take different routes through the organisation as the level of risk will differ:

  • PEP matches will require additional Customer Due Diligence (CDD)/Enhanced Due Diligence (EDD) and internal flags.
  • Sanctions matches will require reporting to the Money Laundering Reporting Officer (MLRO) and the relevant authorities.
  • Adverse Media individuals or entities may be required to be exited from the customer base.

Throughout the process, rationale is required to describe the difference between the two sets of information and how an investigator came to their decision. Senior management must have confidence that an investigation has taken place and every alert has been looked upon with a fresh pair of eyes.

Organisations can adopt many safeguards to ensure every alert generated has followed the process and the correct outcome was achieved. They can do this by ensuring each alert has a robust rationale explaining the steps taken in the investigation and how the investigator came to their decision. A four-eyes check on all false positives should also be incorporated into the investigation process to ensure every alert is investigated correctly.

Not having a robust rationale explaining the investigation process can lead to regulatory breaches or lengthy and expensive remediation projects. However, this may all be avoided by implementing a strong system to ensure regulatory compliance.

Building a strong rationale should be considered as important as the investigation itself: the rationale should explain the difference between two parties by looking at credible and reliable information. An investigator may ask many questions on each alert they review; the rationale should provide details of how the investigator came to their decision and what their thought process was.

Lower-level false positives will not require detailed rationale with lengthy explanations, as the information available is strong enough to discount the potential match. Where the information for a Specially Designated National (SDN)/Politically Exposed Person (PEP)/Special Interest Person (SIP) (Adverse Media) entry is limited or unreliable, an investigator must think outside of the box and look at what information is available in order to make a comparison.

Investigating analysts may often have to use external sources to gather information on their customer or the SDN/PEP/SIP (Adverse Media) entry. Only once enough information has been collated and compared can the investigator decide.

As it is possible for internet pages to be updated by anyone, investigators must be careful when choosing which websites they use to support their investigation. Below is a list of websites that are considered acceptable.

  • State-owned websites
  • Political party websites
  • BBC News or similar mainstream news outlet
  • Established broadsheet
  • LinkedIn
  • Customer's own website


The following may be considered internal and external sources of additional information: 

  • Historic information – other key facts perhaps from related cases or previously generated alerts 
  • Age – it is possible the customer could be the SDN/PEP/SIP (Adverse Media) entry 
  • Children and other family members – information on numbers, names and ages of children 
  • Occupation – the customer's occupation and salary can be compared.
  • Marital status – is the customer or SDN/PEP/SIP (Adverse Media) entry married, single, divorced or widowed.
  • Effective Googling – SDN/PEP/SIP (Adverse Media) entry or customer information may be available from reliable sources online. 


Best practice dictates that investigators should use actual screenshots of any information used in the investigation process and not website URLs: once the website content is no longer available, the rationale will not carry weight at a later review.

Investigators will document their investigation and add rationale detailing the justification they have reached. If the investigator cannot eliminate the alert using the information available, then the investigator must tie in all the information gathered internally and externally to produce their rationale. Small differences in personal information can add up and allow the investigator to use the balance of probability to make their decision. 

SQA Consulting have provided an invaluable insight to ensure financial institutions are regulator ready by providing end to end resources on complex AML projects. For more information contact us.
